mbedtls_adapter.c 7.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253
  1. /* Copyright (C) 2017 Fortanix, Inc.
  2. This file is part of Graphene Library OS.
  3. Graphene Library OS is free software: you can redistribute it and/or
  4. modify it under the terms of the GNU Lesser General Public License
  5. as published by the Free Software Foundation, either version 3 of the
  6. License, or (at your option) any later version.
  7. Graphene Library OS is distributed in the hope that it will be useful,
  8. but WITHOUT ANY WARRANTY; without even the implied warranty of
  9. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  10. GNU Lesser General Public License for more details.
  11. You should have received a copy of the GNU Lesser General Public License
  12. along with this program. If not, see <http://www.gnu.org/licenses/>. */
  13. #include <errno.h>
  14. #include <stdint.h>
  15. #include <limits.h>
  16. #include "api.h"
  17. #include "pal.h"
  18. #include "pal_crypto.h"
  19. #include "pal_error.h"
  20. #include "pal_debug.h"
  21. #include "assert.h"
  22. #include "crypto/mbedtls/mbedtls/cmac.h"
  23. #include "crypto/mbedtls/mbedtls/sha256.h"
  24. #include "crypto/mbedtls/mbedtls/rsa.h"
  25. #define BITS_PER_BYTE 8
  26. /* This is declared in pal_internal.h, but that can't be included here. */
  27. int _DkRandomBitsRead(void *buffer, int size);
  28. /* Wrapper to provide mbedtls the RNG interface it expects. It passes an
  29. * extra context parameter, and expects a return value of 0 for success
  30. * and nonzero for failure. */
  31. static int RandomWrapper(void *private, unsigned char *data, size_t size)
  32. {
  33. __UNUSED(private);
  34. return _DkRandomBitsRead(data, size);
  35. }
  36. #define BITS_PER_BYTE 8
  37. int lib_SHA256Init(LIB_SHA256_CONTEXT *context)
  38. {
  39. mbedtls_sha256_init(context);
  40. mbedtls_sha256_starts(context, 0 /* 0 = use SSH256 */);
  41. return 0;
  42. }
  43. int lib_SHA256Update(LIB_SHA256_CONTEXT *context, const uint8_t *data,
  44. uint64_t len)
  45. {
  46. /* For compatibility with other SHA256 providers, don't support
  47. * large lengths. */
  48. if (len > UINT32_MAX) {
  49. return -PAL_ERROR_INVAL;
  50. }
  51. mbedtls_sha256_update(context, data, len);
  52. return 0;
  53. }
  54. int lib_SHA256Final(LIB_SHA256_CONTEXT *context, uint8_t *output)
  55. {
  56. mbedtls_sha256_finish(context, output);
  57. /* This function is called free, but it doesn't actually free the memory.
  58. * It zeroes out the context to avoid potentially leaking information
  59. * about the hash that was just performed. */
  60. mbedtls_sha256_free(context);
  61. return 0;
  62. }
  63. int lib_AESCMAC(const uint8_t *key, uint64_t key_len, const uint8_t *input,
  64. uint64_t input_len, uint8_t *mac, uint64_t mac_len) {
  65. mbedtls_cipher_type_t cipher;
  66. switch (key_len) {
  67. case 16:
  68. cipher = MBEDTLS_CIPHER_AES_128_ECB;
  69. break;
  70. case 24:
  71. cipher = MBEDTLS_CIPHER_AES_192_ECB;
  72. break;
  73. case 32:
  74. cipher = MBEDTLS_CIPHER_AES_256_ECB;
  75. break;
  76. default:
  77. return -PAL_ERROR_INVAL;
  78. }
  79. const mbedtls_cipher_info_t *cipher_info =
  80. mbedtls_cipher_info_from_type(cipher);
  81. if (mac_len < cipher_info->block_size) {
  82. return -PAL_ERROR_INVAL;
  83. }
  84. return mbedtls_cipher_cmac(cipher_info,
  85. key, key_len * BITS_PER_BYTE,
  86. input, input_len, mac);
  87. }
  88. int lib_AESCMACInit(LIB_AESCMAC_CONTEXT * context,
  89. const uint8_t *key, uint64_t key_len)
  90. {
  91. int ret;
  92. switch (key_len) {
  93. case 16:
  94. context->cipher = MBEDTLS_CIPHER_AES_128_ECB;
  95. break;
  96. case 24:
  97. context->cipher = MBEDTLS_CIPHER_AES_192_ECB;
  98. break;
  99. case 32:
  100. context->cipher = MBEDTLS_CIPHER_AES_256_ECB;
  101. break;
  102. default:
  103. return -PAL_ERROR_INVAL;
  104. }
  105. const mbedtls_cipher_info_t *cipher_info =
  106. mbedtls_cipher_info_from_type(context->cipher);
  107. if ( ( ret = mbedtls_cipher_setup( &context->ctx, cipher_info ) ) != 0 )
  108. return ret;
  109. return mbedtls_cipher_cmac_starts( &context->ctx, key,
  110. key_len * BITS_PER_BYTE );
  111. }
  112. int lib_AESCMACUpdate(LIB_AESCMAC_CONTEXT * context, const uint8_t * input,
  113. uint64_t input_len)
  114. {
  115. return mbedtls_cipher_cmac_update( &context->ctx, input, input_len );
  116. }
  117. int lib_AESCMACFinish(LIB_AESCMAC_CONTEXT * context, uint8_t * mac,
  118. uint64_t mac_len)
  119. {
  120. const mbedtls_cipher_info_t *cipher_info =
  121. mbedtls_cipher_info_from_type(context->cipher);
  122. int ret = -PAL_ERROR_INVAL;
  123. if (mac_len < cipher_info->block_size)
  124. goto exit;
  125. ret = mbedtls_cipher_cmac_finish( &context->ctx, mac );
  126. exit:
  127. mbedtls_cipher_free( &context->ctx );
  128. return( ret );
  129. }
  130. int lib_RSAInitKey(LIB_RSA_KEY *key)
  131. {
  132. /* For now, we only need PKCS_V15 type padding. If we need to support
  133. * multiple padding types, I guess we'll need to add the padding type
  134. * to this API. We might need to add a wrapper type around the crypto
  135. * library's key/context type, since not all crypto providers store this
  136. * in the conext, and instead require you to pass it on each call. */
  137. /* Last parameter here is the hash type, which is only used for
  138. * PKCS padding type 2.0. */
  139. mbedtls_rsa_init(key, MBEDTLS_RSA_PKCS_V15, 0);
  140. return 0;
  141. }
  142. int lib_RSAGenerateKey(LIB_RSA_KEY *key, uint64_t length_in_bits, uint64_t exponent)
  143. {
  144. if (length_in_bits > UINT_MAX) {
  145. return -PAL_ERROR_INVAL;
  146. }
  147. if (exponent > UINT_MAX || (int) exponent < 0) {
  148. return -PAL_ERROR_INVAL;
  149. }
  150. return mbedtls_rsa_gen_key(key, RandomWrapper, NULL, length_in_bits,
  151. exponent);
  152. }
  153. int lib_RSAExportPublicKey(LIB_RSA_KEY *key, uint8_t *e, uint64_t *e_size,
  154. uint8_t *n, uint64_t *n_size)
  155. {
  156. int ret;
  157. /* Public exponent. */
  158. if ((ret = mbedtls_mpi_write_binary(&key->E, e, *e_size)) != 0) {
  159. return ret;
  160. }
  161. /* Modulus. */
  162. if ((ret = mbedtls_mpi_write_binary(&key->N, n, *n_size)) != 0) {
  163. return ret;
  164. }
  165. return 0;
  166. }
  167. int lib_RSAImportPublicKey(LIB_RSA_KEY *key, const uint8_t *e, uint64_t e_size,
  168. const uint8_t *n, uint64_t n_size)
  169. {
  170. int ret;
  171. /* Public exponent. */
  172. if ((ret = mbedtls_mpi_read_binary(&key->E, e, e_size)) != 0) {
  173. return ret;
  174. }
  175. /* Modulus. */
  176. if ((ret = mbedtls_mpi_read_binary(&key->N, n, n_size)) != 0) {
  177. return ret;
  178. }
  179. /* This length is in bytes. */
  180. key->len = (mbedtls_mpi_bitlen(&key->N) + 7) >> 3;
  181. return 0;
  182. }
  183. int lib_RSAVerifySHA256(LIB_RSA_KEY *key, const uint8_t *signature,
  184. uint64_t signature_len, uint8_t *signed_data_out,
  185. uint64_t signed_data_out_len)
  186. {
  187. size_t real_data_out_len;
  188. /* The mbedtls decrypt API assumes that you have a memory buffer that
  189. * is as large as the key size and take the length as a parameter. We
  190. * check, so that in the event the caller makes a mistake, you'll get
  191. * an error instead of reading off the end of the buffer. */
  192. if (signature_len != key->len) {
  193. return -PAL_ERROR_INVAL;
  194. }
  195. int ret = mbedtls_rsa_rsaes_pkcs1_v15_decrypt(key, NULL, NULL,
  196. MBEDTLS_RSA_PUBLIC,
  197. &real_data_out_len,
  198. signature,
  199. signed_data_out,
  200. signed_data_out_len);
  201. if (ret == 0) {
  202. if (real_data_out_len != SHA256_DIGEST_LEN) {
  203. return -PAL_ERROR_INVAL;
  204. }
  205. }
  206. return ret;
  207. }
  208. int lib_RSAFreeKey(LIB_RSA_KEY *key)
  209. {
  210. mbedtls_rsa_free(key);
  211. return 0;
  212. }